Watch McAfee’s Hcommerce: The Business of Hacking You Video Series

June 13, 2009

If you aren’t yet aware of McAfee’s 6-part short video series on Hcommerce, or just haven’t been following it, you need to check it out at stopHcommerce.com.

Hcommerce stands for “Hacker commerce”, the economic model behind online crimes and the ways criminals use internet services and tools to exploit consumers.

The compelling series focuses on real victims of cybercrime, and how one family ultimately lost over $400,000 in a scam promising inheritance money from a dead family member. It shows how the criminals went about the scam and will help you understand both the scope of cybercrime today and how quickly you can fall victim if you fail to take some basic safeguards.

Most internet users still do not understand how vulnerable they are to cybercrime. A Consumer Reports research survey was cited by President Obama in his May 29th address to the nation: “Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied. According to one survey, in the past two years alone cyber crime has cost Americans more than $8 billion.”

If you have been procrastinating about securing your computers and learning how to identify Internet scams, it’s time to take action now. McAfee has created a 2-page handout to help you learn more about cybercriminals and what you can do to protect yourself.

Linda


What went wrong online?… And who’s to blame for Internet safety risks?

February 15, 2007

Predators are ‘equal opportunity offenders’ happy to target victims of any age. Youth represent one segment, but many adults and seniors are equally at risk, though the exploitation of these groups is more often for financial gain.

Adults are nearly as likely as youth to expose their name, address, phone number, and other identifying or emotionally sensitive information. They may do it in different ways, such as through online resumes or a corporate bio, or they may expose it the way youth do, through dating sites, personal blogs, etc.

Adults are more likely to provide automated email responses announcing they will be out of town, or to blog from Africa about their 6-month expedition. Either way they inform criminals of when and where to find the empty home of an individual wealthy enough to be gone. Seniors post genealogy information that exposes entire extended families – birth dates, birth places, mother’s maiden names, etc. – how often is this information the password reminder for your banking? Adults show photos and brag about their children and grandchildren, and may inadvertently be posing the greatest threat to a child, a teen or their own safety.

Few adults, seniors, teens or children would stand on a street corner and shout out personal information, or deliberately expose themselves to risk. What is different online?

Seven key factors contribute to the current state of affairs:

  • Failure to define or understand ‘internet safety’: Few industry insiders, let alone consumers, can define the difference between internet security and internet safety. Most incorrectly assume that by enabling security they’ve covered the issues. However, internet security is aimed at protecting data and devices; internet safety is about protecting people. There is considerable overlap in these two areas, but each also has its own distinct concerns.

A company can build a nearly ‘secure’ product that no one has hacked into, yet it may utterly fail to protect the consumers who use it. MySpace is a great case in point. Virtually all products that enable social networking have safety failures, and other Internet services have their own failures. The public outrage over MySpace is not because its databases were compromised; it is because the product itself fails to protect or even adequately warn consumers.

  • Lack of industry focus on Internet safety: Safety was not built into existing products for the simple reason that internet providers didn’t see how to make money from it. They also seriously underestimated the exploitation potential in spite of repeated warnings. One fallout of the dot-com bubble bursting is that if a ‘feature’ doesn’t make money, the feature doesn’t get built – unless there’s a regulation requiring it. Security and privacy tools, by contrast, are big business, with high demand from companies willing to pay to keep services running and comply with regulatory requirements.

Businesses (incorrectly) believed safety was a consumer-only concern without real revenue potential. The few halfhearted attempts by large companies to provide internet safety boiled down to two-dimensional ‘parental control’ products (block and filter) that were poorly funded and never got past a ‘v.1’ level. They were (and are) pricey, cumbersome, largely ineffective, and gravely misunderstood what families were asking for. Predictably they failed miserably and were ‘deprioritized’. None of these tools is even close to a standard that can adequately respond to today’s Internet services.

It is only in the wake of serious media, regulatory and consumer focus on the lack of inherent safety in products that companies are revisiting their priorities. Even now very few companies are making an adequate investment to rectify the situation. Most still see safety features as a ‘tax’ rather than a benefit to their bottom line, and developers are rewarded for building ‘cool’ features that increase the number of users, not safety.

  • Insufficient understanding of human interactions and predators: Internet companies don’t hire many sociologists; they hire developers without training in social dynamics, social engineering or predatory behavior. The few companies that did hire sociologists largely set aside the concerns that were raised, in the same way the industry as a whole disregarded the warnings from outside experts.
  • Lack of immediate cause and effect: Criminals don’t leave business cards. Most people won’t know that the crime they fell victim to was enabled by an action they, their friend, their child or someone angry at them took on the Internet. They won’t know that their home or car was burgled because someone commented or posted online that they would be away, or bragged about possessions. They won’t know whether their credit card or ID was stolen by someone dumpster diving, by a waiter in the restaurant last month, or through an online scam, or that they were targeted for a hate crime or harassment, or became the target of a sexual predator, because of information found online. Possibly the specific online activity that triggered the crime happened months, even years, earlier.
  • Inadequate, fear-based safety messaging: Too much of the current ‘Internet safety’ messaging is fear-based and lacks useful information about real products. Using fear to ‘scare’ people into safer internet practices isn’t only ineffective; it damages the credibility of any safety message – especially when frequently cited.

Advice akin to “never post a photo” is absurd. Posting a picture of a mountain scene isn’t likely to cause harm. Nor is posting a very personal photo that can be accessed only by family or close friends. Effective safety messaging needs to teach principles like how to recognize the information displayed in a photo (and accompanying text, video, audio, attachments, links, etc.), and help you consider who you may want to share or not share the information with.

“Online Stranger Danger” messages are as misguided as ‘offline stranger danger’ messages. Most victims of sexual crimes are abused by someone they know. Effective prevention messaging teaches that some actions, attitudes and conversations are never appropriate – whether they come from a stranger, from the neighbor, from Uncle Bob, or from Mommy. The message is relevant whether taught to a child or a senior.

Online safety skills are not just for ‘youth’. Consumers of every age and level of technical expertise are sorely lacking in online safety education – including those developing internet products.

Internet scaremongering is the latest version of witch hunting and boogeyman tales. News headlines hyping Internet risks can be compared with news titles in the vein of ‘Roads kill over 40,000 people every year in the US’. It’s true, but if the proposed solution were to abolish roads, the ‘expert’ would be laughed off the stage.

Safety messaging needs to explain both the potential risks and how to evaluate which risks you are comfortable with. Risk aversion or risk tolerance thresholds, like morality-based filter options, are personal and familial value choices, not ones dictated by companies, governments, or any educational program.

  • Failure to define roles and responsibilities of stakeholders: There are 5 key stakeholder groups – 1) industry companies and organizations, 2) governments and regulators, 3) law enforcement and oversight boards, 4) individuals and families, and 5) schools and other educational resources.

Without concerted efforts by all stakeholder groups, the web of safety that society needs will continue to have gaps. While integration of effort is complicated, the level of collaboration required is nothing new. These stakeholder groups have had to coordinate efforts to tackle shared responsibilities many, many times – road safety, drug safety, health issues, etc. Somehow society and companies fail to anticipate these requirements with each new product area. Today there is a failure to build safety requirements into video sharing and VoIP. One bright spot is the preparation some mobile providers are investing in to avert mobile Internet safety issues, and they should be commended for doing so.

  • Three intertwined myths: 1) Internet risks are new, 2) the problem is the lack of education, and 3) those most responsible for solving the problem are parents. How convenient – it’s YOUR fault.

1) Internet risks aren’t new: The public outcry around the dangers of chat rooms in 2003 [i] (a more primitive form of social networking by an old and now tainted name) forced major companies to shut down, or significantly increase their monitoring of, chat services years ago. The plague of spam and the scams involved in it has hounded the industry in spite of prophetic statements regarding its cure [ii]. The lesson of those years-old mistakes should have been learned: building products without safety features in place is a game of roulette where consumers always lose.

2) The problem isn’t lack of education – education alone isn’t a panacea: The problem is the lack of education, plus the lack of products designed and built with safety in mind so that the entire infrastructure provides safety, plus the lack of enforcement to ensure that products comply with safety standards, that consumers comply with safety requirements, and that criminals can be caught and punished.

The only way to get safer products is to build safer products. To ensure safer products are built, there must be standards that products are tested against to enforce safety, and there must be motivation for companies to meet those standards in a way that enables consumers of all skill levels to understand products and use them safely. And there needs to be safety education provided in a concerted way by companies, families, schools and other educational groups, law enforcement and governments, so that real safety is consistently taught and reinforced.

3) Claiming that parents own the primary responsibility [iii] for protecting minors online is like claiming parents are primarily responsible for the traffic deaths of teens: Families are responsible for teaching minors to be safe in traffic and even physically set boundaries – doors, locks, fences, etc. – to ensure safety. But we also demand that the roads are safe and that safety is enforced.

If someone hands a 14-year-old the keys to a faulty car and says “go have fun”, would society blame the parents for the ensuing crash? Each of the 5 stakeholder groups has some ‘primary responsibility’.

Companies have primary responsibility when they provide minors access to products that can hurtle them through cyberspace at warp speed but don’t provide a user manual, require driver’s education, or provide brakes, locks, airbags, fenders on sharp turns, banked roadways for safer navigation – or speed limits. Usually companies have provided access without parental consent or knowledge. You can’t get a driver’s license in the real world without proof of age and, for minors, parental consent.

Companies have primary responsibility to post notice that a once sleepy country lane is about to become an 8-lane freeway and to inform consumers about ‘upgrades’ that will add turbo engines to once-humble products. Many adult IM users are surprised to discover that IM is far beyond the ‘real-time email’ service they thought they knew. IM now includes:

  • Rich Profiles (no filter for images or text, may include location data)
  • Avatars and winks (but no feature to filter for appropriate images)
  • Extended networking à la friends of friends (about 30% of teens’ IM friends are people they’ve never met; this potentially extends access to strangers’ friends)
  • Image & File sharing (no feature to filter files)
  • Video and music players (no feature to restrict content by rating)
  • Buddy searches (where a ‘friend’ can steer the search)
  • Online auction & dating integration
  • Remote access (that can give control of the entire PC to someone else)
  • Shopping
  • Bots and gadgets that can manage things like tracking friends’ locations
  • Etc.

All of these features have great, positive uses, and service providers aren’t done upgrading products yet. There is no reason to oppose any one of these features, but consumers have the right to be informed about each new feature that potentially changes their exposure to risk, and to be able to determine whether the risk potential is appropriate for their families. Consumers have the right to expect that content settings established for search results are also applied to content found within the products. The modern method of automatic ‘upgrades’ without notification bears resemblance to the old ‘bait and switch’.

Government has primary responsibility to ensure roads aren’t built without proper traffic and pedestrian impact evaluations, and that there are clear safety regulations that are adhered to when building the roads. 8-lane freeways are not allowed through suburban neighborhoods where children play on the streets. Whenever pedestrians – or even slower traffic – are involved, regulations require public hearings, overpasses, underpasses, rerouting, warning lights, barriers, reduced speed limits, etc. Government is also responsible for public service messages about traffic safety.

Law enforcement has primary responsibility to monitor society’s safety, prevent crime and bring to justice those who break the law. Yet adequate laws and regulations are missing to facilitate enforcement, and adequate safety features weren’t built into the products to reduce the potential for exploitation. Additionally, there has been a critical failure to allocate to law enforcement the funding, training and resources they need in order to provide the level of safety we expect.

Crime has always enjoyed better funding than law enforcement, but without assurances of basic safety enforcement the public will not be able to fully realize the tremendous opportunities the Internet has to offer.

Schools have primary responsibility for teaching youth the tools and skills they need to be successful members of society. Mastering the Internet and Internet safety has become a critical life skill. But who taught teachers how to teach Internet safety, or provided curriculum for classrooms – especially when too much of the existing ‘safety messaging’ is fear-based and inaccurate?

Who’s to blame for failing in their primary responsibility? Families that didn’t even know a company gave their child access to a product that is missing basic safeguards?

Companies that failed to build basic safeguards into products or inform consumers of risk?

The government, which failed to set regulations requiring safeguards of companies that failed to adequately self-regulate, then failed to adequately fund law enforcement or provide curriculum and funding for schools?

Schools that failed to teach kids critical online safety life skills, failed to develop a curriculum, and failed to send home adequate notices to families?

Families that failed to demand adequate safety from companies, and failed to demand that governments regulate the industries or pay for increased law enforcement needs?

There is enough blame to fuel lawsuits for years to come.

In the meantime, each of the 5 stakeholder groups must invest more in Internet safety in order to deliver on their responsibilities in each of the three action areas – education, safer product infrastructure, and enforcing safety – and we need to do so in a far more coordinated manner than has happened to date.

We can do this. We’ve done it in other industries and on other issues, but there is no time to waste.


[i] “Microsoft to Shut Down Chat Rooms”, Reuters, September 23, 2003

LONDON — Microsoft said Wednesday it would shut down its Internet chat rooms in 28 countries, saying the forums had become a haven for peddlers of junk e-mail and sex predators.

“The straightforward truth of the matter is free, unmoderated chat isn’t safe,” said Geoff Sutton, European general manager of Microsoft MSN.

[ii] “Gates: Spam To Be Canned By 2006”, AP

A spam-free world by 2006? That’s what Microsoft Corp. chairman Bill Gates is promising.

“Two years from now, spam will be solved,” he told a select group of World Economic Forum participants at this Alpine ski resort. “And a lot of progress this year,” he added at the event late Friday, hosted by U.S. talk show host Charlie Rose.

[iii] “Texas judge tosses MySpace lawsuit”, February 15, 2007

A federal judge in Texas has dismissed a lawsuit filed against MySpace.com by the parents of a girl allegedly assaulted by a man she met on the Web site.

“If anyone had a duty to protect Julie Doe, it was her parents, not MySpace,” Judge Sam Sparks wrote in a ruling dismissing the case, the Los Angeles Times reported Thursday.

The parents of the 13-year-old girl had sued News Corp., which owns the popular social-networking Web site, for $30 million, saying the site doesn’t protect its members sufficiently. The Times said at least four similar cases are pending in Los Angeles County Superior Court.

In the Texas case, authorities in Travis County have charged a 19-year-old man with sexual assault. Julie Doe listed her age as 18 when she joined MySpace, court documents said. Judge Sparks, of the U.S. District Court in Austin, applied the 1996 Communications Decency Act, holding MySpace to the same standard as Internet service providers, the Times said.
